Authentication ?
qdivya1 at avnika.corp.mot.com
Thu Jul 26 16:30:10 UTC 2001
Graeme,
I realize that AUTHENTICATION works against LDAP w/o any problems.
What I really wish to focus on is Authorization. The idea I had been
mulling over in my mind was something akin to the following:
---------------------------------------------------------------------
For each NewsGroup, create a container group listing the users
that are allowed to access that news group.
The listing can be of two formats, either an explicit list of users, or
a policy/rule that describes a method of qualifying users (or a
combination).
If a "corresponding" container group is not listed for a newsgroup, see if
there is one that exists for its parent newsgroup ... If the parent does
not have a container group, then check its parent etc. ...
A default authorization rule would apply to the "root" news group.
---------------------------------------------------------------------
Hopefully that helps.
Regards
On Thu, 26 Jul 2001 graeme+inn-workers at mathie.cx wrote:
> Date: Thu, 26 Jul 2001 08:15:29 +0100
> From: graeme+inn-workers at mathie.cx
> To: qdivya1 at avnika.corp.mot.com
> Cc: inn-workers at isc.org
> Subject: Re: Authentication ?
>
>
> On Wed, Jul 25, 2001 at 01:38:49PM -0500, qdivya1 at avnika.corp.mot.com wrote:
> >
> > I am interested in exploring two items:
> >
> > (1) Authenticating users against LDAP, and
>
> This works, using pamckpasswd and pam_ldap.
>
> > (2) Authorizing their access into Newsgroups based upon their membership
> > in a group ..
>
> Could you explain what you mean by this? If you mean that only users in
> a particular group (say group 'reader') can login to the news server,
> then that is trivial. Your nnrpd PAM configuration would look something
> along the lines of:
>
> nnrpd auth requisite pam_nologin.so
> nnrpd auth required pam_wheel.so group=reader
> nnrpd auth required pam_ldap.so
>
> If instead you're looking for particular groups to have access to
> particular hierarchies, a bit of hacking would be involved. It would
> be possible to have an authenticator which returns both a user and a
> group[1]. That would require modifying nnrpd/perm.c to grok the newly
> returned field.
>
> It would then be possible to have access stanza which allows access to
> hierarchies based on group. Hrm, seeing as I'm planning on working on
> code in that general area this weekend, I may look at implementing that
> as a first step.
>
> Of course, it's then getting to the stage that the authenticator may as
> well return a Newsgroups: line which lists the newsgroups that a user
> can access...
>
> [1] Possibly a list of groups.
> --
> graeme+sig at mathie.cx http://www.mathie.cx/~graeme/
>
>
Divya Sundaram ----------------------------- CONDITUR IN PETRA
We don't need more strength, or greater opportunity. What we
need is to use what we have. - BASIL S. WALSH
--------- Motorola OneIT -- Enabling the Enterprise ----------
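The hierarchical lookup sketched in the message above (nearest container group wins, walk up to the parent newsgroup when none is listed, default rule at the root), plus the "Newsgroups:" list Graeme mentions an authenticator could return, as an added worked example. This is not code from the thread or from INN; the ACL table, user names, LDAP group names and active-file entries are all constructed for illustration, and `member_of` is a hypothetical rule helper.

```python
"""
Added example (not from the inn-workers thread or from INN): a
hierarchical newsgroup authorization lookup.

Each newsgroup may have an ACL entry. If it has none, its parent's entry
applies, and so on up to the root entry, which holds the default. An
entry is an explicit set of user names, a list of rules (predicates over
the user's LDAP group memberships), or both; either test may grant access.
All names and data below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, List, Set

# A rule receives (user, ldap_groups) and says whether access is granted.
Rule = Callable[[str, FrozenSet[str]], bool]

ROOT = ""  # key of the default entry covering the whole namespace


@dataclass
class AclEntry:
    users: Set[str] = field(default_factory=set)
    rules: List[Rule] = field(default_factory=list)

    def permits(self, user: str, groups: FrozenSet[str]) -> bool:
        return user in self.users or any(r(user, groups) for r in self.rules)


def member_of(*required: str) -> Rule:
    """Hypothetical rule: user must be in at least one named LDAP group."""
    return lambda _user, groups: bool(groups.intersection(required))


def lookup_entry(acl: Dict[str, AclEntry], newsgroup: str) -> AclEntry:
    """Walk from the newsgroup through its parents to the root entry."""
    name = newsgroup
    while True:
        if name in acl:
            return acl[name]
        if name == ROOT:
            return AclEntry()  # no default entry at all: fail closed
        name = name.rpartition(".")[0]  # "a.b.c" -> "a.b", "a" -> ""


def may_read(acl: Dict[str, AclEntry], newsgroup: str,
             user: str, groups: Iterable[str]) -> bool:
    return lookup_entry(acl, newsgroup).permits(user, frozenset(groups))


def allowed_newsgroups(acl: Dict[str, AclEntry], active: Iterable[str],
                       user: str, groups: Iterable[str]) -> List[str]:
    """The 'Newsgroups:' list an authenticator could hand back to nnrpd."""
    return [ng for ng in active if may_read(acl, ng, user, groups)]


# Constructed sample policy: readers may see everything by default,
# corp.hr.* needs the hr-staff group, corp.hr.payroll is an explicit
# list, and corp.eng.* takes an explicit user or the engineering group.
ACL: Dict[str, AclEntry] = {
    ROOT: AclEntry(rules=[member_of("readers")]),
    "corp.hr": AclEntry(rules=[member_of("hr-staff")]),
    "corp.hr.payroll": AclEntry(users={"alice"}),
    "corp.eng": AclEntry(users={"bob"}, rules=[member_of("engineering")]),
}

# Constructed stand-in for the server's active file.
ACTIVE = ["comp.security", "corp.eng.builds",
          "corp.hr.benefits", "corp.hr.payroll"]


if __name__ == "__main__":
    for user, groups in [("alice", {"readers"}), ("carol", {"readers"})]:
        print(user, allowed_newsgroups(ACL, ACTIVE, user, groups))
```

Note the semantics this gives the sketch: the nearest entry replaces, rather than extends, its ancestors, so `corp.hr.payroll` admits only `alice` even though `hr-staff` members may read the rest of `corp.hr`. If the intended policy is "parent rules still apply underneath", combine the entries found on the walk instead of stopping at the first one. Either way, keep a root entry present; with none, the lookup above denies everything rather than silently opening the server.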